CVE-2026-33013
Received - Intake
Denial of Service in Micronaut Form-Urlencoded Body Binding

Publication date: 2026-03-20

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions prior to both 4.10.16 and 3.10.5 do not correctly handle descending array index order during form-urlencoded body binding in JsonBeanPropertyBinder::expandArrayToThreshold, which allows remote attackers to cause a DoS (non-terminating loop, CPU exhaustion, and OutOfMemoryError) via crafted indexed form parameters (e.g., authors[1].name followed by authors[0].name). This issue has been fixed in versions 4.10.16 and 3.10.5.
Meta Information
Published: 2026-03-20
Last Modified: 2026-03-24
Generated: 2026-06-16
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-06-15
NVD
Affected Vendors & Products
2 associated CPEs
Vendor | Product | Version / Range
objectcomputing | micronaut | all versions before 3.10.5 (3.10.5 excluded)
objectcomputing | micronaut | from 4.0.0 (included) to 4.10.16 (excluded)
CWE
CWE-835: The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Mitigation Strategies

The primary and immediate mitigation step is to upgrade Micronaut Core to a fixed version: 3.10.5 for the 3.x line and 4.10.16 for the 4.x line. Check the version the build actually resolves rather than the one declared, since a BOM or a transitive dependency can pin an older release.

No known workarounds exist other than upgrading to these fixed versions to prevent exploitation of this denial of service vulnerability.
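As an added example (not from this page or the Micronaut project), the following Python checker classifies a resolved version string against the two affected ranges listed above and picks affected coordinates out of a dependency report. The entries in SAMPLE_DEPS are constructed, not taken from a real build, and the assumption that every artifact in the plain io.micronaut group carries the Micronaut Core version is a simplification of the build layout; adjust the pattern if your report differs.

```python
import re

# Affected ranges as published for CVE-2026-33013: every release before 3.10.5,
# and 4.0.0 up to but excluding 4.10.16. Each entry is
# (lower bound inclusive or None, upper bound exclusive) as (major, minor, patch).
AFFECTED_RANGES = (
    (None, (3, 10, 5)),
    ((4, 0, 0), (4, 10, 16)),
)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[-.][0-9A-Za-z.-]+)?")


def parse_version(version):
    """Turn '4.10.15' (optionally with a suffix such as '-SNAPSHOT') into (4, 10, 15)."""
    m = VERSION_RE.fullmatch(version.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True when the version falls inside one of the published affected ranges.

    A pre-release suffix is ignored, so '4.10.16-SNAPSHOT' compares as 4.10.16
    (i.e. fixed); treat snapshots as unknown if that matters in your environment.
    """
    v = parse_version(version)
    return any((lo is None or v >= lo) and v < hi for lo, hi in AFFECTED_RANGES)


# Constructed sample of resolved coordinates (group:artifact:version), the shape a
# Gradle or Maven dependency report prints. Not taken from a real build.
SAMPLE_DEPS = [
    "io.micronaut:micronaut-core:4.10.15",
    "io.micronaut:micronaut-http:4.10.16",
    "io.micronaut:micronaut-core:3.10.4",
    "io.netty:netty-codec-http:4.1.100.Final",
]

# Assumption: artifacts in the plain io.micronaut group are the modules of the
# micronaut-core repository and share its version number.
MICRONAUT_CORE_COORD = re.compile(r"^io\.micronaut:micronaut-[\w-]+:(\S+)$")


def affected_coordinates(lines):
    """Return the Micronaut coordinates in `lines` whose version is affected."""
    hits = []
    for line in lines:
        m = MICRONAUT_CORE_COORD.match(line.strip())
        if m and is_affected(m.group(1)):
            hits.append(line.strip())
    return hits


if __name__ == "__main__":
    for coord in affected_coordinates(SAMPLE_DEPS):
        print("AFFECTED:", coord)
```

Feed it the output of the build tool's dependency listing (one coordinate per line) rather than the declared versions in the build file, which is the point made in the mitigation text above.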

Executive Summary

CVE-2026-33013 is a denial of service (DoS) vulnerability in the Micronaut Framework, a JVM-based Java framework. The issue occurs in the form-urlencoded body binding process, specifically in the JsonBeanPropertyBinder::expandArrayToThreshold method, which does not correctly handle descending array index order when processing form parameters.

When a crafted HTTP POST request contains indexed form parameters in descending order (for example, authors[1].name followed by authors[0].name), the binder enters a non-terminating loop. This causes excessive CPU usage, memory exhaustion, and eventually an OutOfMemoryError, leading to a denial of service condition.

This vulnerability affects Micronaut versions prior to 4.10.16 and 3.10.5 and has been fixed in those versions.

Impact Analysis

This vulnerability can cause a denial of service (DoS) condition in applications using vulnerable versions of the Micronaut Framework. An attacker can send specially crafted form-urlencoded HTTP POST requests with descending array indices, triggering a non-terminating loop in the server.

The impact includes sustained high CPU usage, memory exhaustion, and eventually an OutOfMemoryError, which can crash or make the application unresponsive. This disrupts the availability of the affected service, potentially causing downtime or degraded performance.

No confidentiality or integrity impacts are associated with this vulnerability, but the availability impact is high.


Detection Guidance

This vulnerability can be detected by sending a crafted HTTP POST request with form-urlencoded parameters that use descending array indices. For example, a request that sends 'authors[1].name' followed by 'authors[0].name' causes a vulnerable Micronaut application to enter a non-terminating loop, resulting in high CPU and memory usage.

A practical command to test for this vulnerability is the following curl request, where /submit stands for any endpoint that binds the form body to an object with an indexed (list) property:

curl -v -X POST 'http://127.0.0.1:8080/submit' -H 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'authors[1].name=RobertGalbraith' --data-urlencode 'authors[0].name=JKRowling'

If the system is vulnerable, this request will cause excessive CPU and memory consumption, potentially leading to an OutOfMemoryError or application unresponsiveness. Because a positive result is itself a denial of service, run this test only against a non-production instance, and prefer checking the resolved Micronaut Core version where a live test is not acceptable. [1]
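The request shape described above can also be recognised passively, on captured request bodies or as a WAF-style rule, without sending the payload anywhere. The following Python is an added example, not code from this page or from Micronaut: it parses a form-urlencoded body, tracks the highest index seen per array path, and reports the keys at which an index goes backwards. The bodies in SAMPLE_BODIES are constructed; the first mirrors the advisory's example and the others cover percent-encoded brackets, nested arrays and benign cases. Note that curl's --data-urlencode sends the brackets as %5B and %5D, so the decoding step matters.

```python
import re
from urllib.parse import parse_qsl

# Matches one "[<index>]" segment inside a form key such as authors[1].name.
INDEX_SEGMENT = re.compile(r"\[(\d+)\]")


def descending_index_keys(body):
    """Return the form keys (in request order) at which an array index drops
    below the highest index already seen for the same array path.

    `body` is the raw application/x-www-form-urlencoded request body. parse_qsl
    decodes percent-encoding, so authors%5B0%5D.name is treated as authors[0].name.
    """
    highest = {}  # array path (text before "[i]") -> highest index seen so far
    hits = []
    for key, _value in parse_qsl(body, keep_blank_values=True):
        for m in INDEX_SEGMENT.finditer(key):
            path = key[:m.start()]        # "authors" or "authors[0].books"
            idx = int(m.group(1))
            if idx < highest.get(path, -1):
                hits.append(key)
                break                     # one report per offending key
            highest[path] = max(highest.get(path, -1), idx)
    return hits


def is_descending_index_body(body):
    """Convenience wrapper for a yes/no rule."""
    return bool(descending_index_keys(body))


# Constructed sample bodies (not captured traffic).
SAMPLE_BODIES = {
    "advisory_example": "authors[1].name=RobertGalbraith&authors[0].name=JKRowling",
    "ascending": "authors[0].name=JKRowling&authors[1].name=RobertGalbraith",
    "percent_encoded": "authors%5B1%5D.name=RobertGalbraith&authors%5B0%5D.name=JKRowling",
    "nested_descending": "authors[0].books[3].title=A&authors[0].books[1].title=B",
    "different_arrays": "authors[5].name=A&editors[0].name=B",
}


def scan(bodies=SAMPLE_BODIES):
    """Map each sample name to the offending keys, if any."""
    return {name: descending_index_keys(body) for name, body in bodies.items()}


if __name__ == "__main__":
    for name, keys in scan().items():
        print(f"{name:>18}: {'FLAG ' + ', '.join(keys) if keys else 'ok'}")
```

This only identifies the request pattern; it is not a substitute for the upgrade named under Mitigation Strategies, and a gap in indices that never goes backwards (for example authors[5] alone) is deliberately not flagged, since the advisory describes descending order as the trigger.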
